Update the shadow section after relocating

zeroSteiner · zeroSteiner · commit 929efe84ed56 · 2018-06-28T14:10:16.000-04:00
diff --git a/ReflectivePolymorphism/ReflectivePolymorphism.c b/ReflectivePolymorphism/ReflectivePolymorphism.c
@@ -5,6 +5,29 @@ typedef struct {
 	WORD    type : 4;
 } IMAGE_RELOC, *PIMAGE_RELOC;
 
+DWORD ImageSizeFromHeaders(PDOS_HEADER pDosHeader) {
+	// Calculate the size of of a PE image from the specified DOS headers.
+	//
+	// PDOS_HEADER pDosHeader: The headers to use for the calculation.
+	// Returns: The size of the PE image.
+	PIMAGE_NT_HEADERS pImgNtHeaders = NULL;
+	PIMAGE_SECTION_HEADER pImgSecHeader = NULL;
+	PIMAGE_SECTION_HEADER pImgSecHeaderLastRaw = NULL;
+	PIMAGE_SECTION_HEADER pImgSecHeaderCursor = NULL;
+	DWORD dwCursor = 0;
+
+	pImgNtHeaders = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + pDosHeader->e_lfanew);
+	pImgSecHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)pImgNtHeaders + sizeof(IMAGE_NT_HEADERS));
+	pImgSecHeaderLastRaw = pImgSecHeader;
+	for (dwCursor = 0; dwCursor < pImgNtHeaders->FileHeader.NumberOfSections; dwCursor++) {
+		pImgSecHeaderCursor = &pImgSecHeader[dwCursor];
+		if (pImgSecHeaderLastRaw->PointerToRawData < pImgSecHeaderCursor->PointerToRawData) {
+			pImgSecHeaderLastRaw = pImgSecHeaderCursor;
+		}
+	}
+	return (pImgSecHeaderLastRaw->PointerToRawData + pImgSecHeaderLastRaw->SizeOfRawData);
+}
+
 BOOL RebaseImage(PDOS_HEADER pDosHeader, ULONG_PTR uiBaseFrom, ULONG_PTR uiBaseTo) {
 	// Rebase the specified PE image by processing the relocation data as
 	// necessary.
@@ -60,6 +83,61 @@ BOOL RebaseImage(PDOS_HEADER pDosHeader, ULONG_PTR uiBaseFrom, ULONG_PTR uiBaseT
 	return TRUE;
 }
 
+BOOL ShadowSectionCopy(PDOS_HEADER pDosHeader, BOOL bCopyTo) {
+	// Copy data to or from the shadow section. Copying data from the shadow
+	// section effectively restores content from the backup. Copying data to the
+	// shadow section effectively updates backup content.
+	//
+	// PDOS_HEADER pDosHeader: Pointer to the DOS header of the blob to patch.
+	// Returns: TRUE on success.
+	PIMAGE_SECTION_HEADER pImgSecHeaderCopy = NULL;
+	PIMAGE_SECTION_HEADER pImgSecHeaderCursor = NULL;
+	PIMAGE_SECTION_HEADER pImgSecHeader1 = NULL;
+	PIMAGE_SECTION_HEADER pImgSecHeader2 = NULL;
+	DWORD dwImageSize = 0;
+
+	pImgSecHeaderCopy = SectionHeaderFromName(pDosHeader, SHADOW_SECTION_NAME);
+	if (!pImgSecHeaderCopy) {
+		return FALSE;
+	}
+	if (!pImgSecHeaderCopy->SizeOfRawData) {
+		return FALSE;
+	}
+
+	dwImageSize = ImageSizeFromHeaders(pDosHeader);
+	pImgSecHeaderCursor = (PIMAGE_SECTION_HEADER)((ULONG_PTR)pDosHeader + pImgSecHeaderCopy->PointerToRawData);
+	while (memcmp(pImgSecHeaderCursor->Name, "\x00\x00\x00\x00\x00\x00\x00\x00", 8)) {
+		pImgSecHeader2 = pImgSecHeaderCursor;
+		pImgSecHeaderCursor += 1;
+
+		if (!pImgSecHeader2->SizeOfRawData) {
+			continue;
+		}
+		pImgSecHeader1 = SectionHeaderFromName(pDosHeader, pImgSecHeader2->Name);
+		if (!pImgSecHeader1) {
+			return FALSE;
+		}
+		if (pImgSecHeader1->SizeOfRawData != pImgSecHeader2->SizeOfRawData) {
+			return FALSE;
+		}
+		if (dwImageSize < (pImgSecHeaderCursor->PointerToRawData + pImgSecHeaderCursor->SizeOfRawData)) {
+			return FALSE;
+		}
+		if (bCopyTo) {
+			// swap the pointers if we're copying to the shadow section
+			(ULONG_PTR)pImgSecHeader1 ^= (ULONG_PTR)pImgSecHeader2;
+			(ULONG_PTR)pImgSecHeader2 ^= (ULONG_PTR)pImgSecHeader1;
+			(ULONG_PTR)pImgSecHeader1 ^= (ULONG_PTR)pImgSecHeader2;
+		}
+		CopyMemory(
+			(PVOID)((ULONG_PTR)pDosHeader + pImgSecHeader1->PointerToRawData),
+			(PVOID)((ULONG_PTR)pDosHeader + pImgSecHeader2->PointerToRawData),
+			pImgSecHeader1->SizeOfRawData
+		);
+	}
+	return TRUE;
+}
+
 PIMAGE_SECTION_HEADER SectionHeaderFromRVA(PDOS_HEADER pDosHeader, ULONG_PTR pVirtualAddress) {
 	// Retrieve the section header for the specified Relative Virtual Address
 	// (RVA).
diff --git a/ReflectivePolymorphism/ReflectivePolymorphism.h b/ReflectivePolymorphism/ReflectivePolymorphism.h
@@ -46,6 +46,8 @@
 #define IMAGE_BASE_EXE 0x400000
 #endif
 
+#define SHADOW_SECTION_NAME ".restore"
+
 typedef struct {
 	// short is 2 bytes, long is 4 bytes
 	WORD  signature;
@@ -69,8 +71,14 @@ typedef struct {
 	DWORD e_lfanew;
 } DOS_HEADER, *PDOS_HEADER;
 
+DWORD ImageSizeFromHeaders(PDOS_HEADER pDosHeader);
 BOOL RebaseImage(PDOS_HEADER pDosHeader, ULONG_PTR uiBaseFrom, ULONG_PTR uiBaseTo);
 
+// Shadow section functions
+BOOL ShadowSectionCopy(PDOS_HEADER pDosHeader, BOOL bCopyTo);
+#define ShadowSectionRestore(pDosHeader) ShadowSectionCopy(pDosHeader, FALSE)
+#define ShadowSectionUpdate(pDosHeader) ShadowSectionCopy(pDosHeader, TRUE)
+
 // Section Header retrieval functions
 PIMAGE_SECTION_HEADER SectionHeaderFromName(PDOS_HEADER pDosHeader, PVOID pName);
 PIMAGE_SECTION_HEADER SectionHeaderFromRVA(PDOS_HEADER pDosHeader, ULONG_PTR pVirtualAddress);
diff --git a/ReflectivePolymorphism/ReflectiveTransformer.c b/ReflectivePolymorphism/ReflectiveTransformer.c
@@ -69,7 +69,9 @@ BOOL ReflectiveTransformerToDLL(PDOS_HEADER pDosHeader, DWORD dwAddressOfEntryPo
 		return FALSE;
 	}
 
-	RebaseImage(pDosHeader, (ULONG_PTR)(pImgNtHeaders->OptionalHeader.ImageBase), IMAGE_BASE_DLL);
+	if (RebaseImage(pDosHeader, (ULONG_PTR)(pImgNtHeaders->OptionalHeader.ImageBase), IMAGE_BASE_DLL)) {
+		ShadowSectionUpdate(pDosHeader);
+	}
 
 	pImgNtHeaders->FileHeader.Characteristics |= IMAGE_FILE_DLL;
 	pImgNtHeaders->FileHeader.Characteristics |= IMAGE_FILE_EXECUTABLE_IMAGE;
@@ -94,7 +96,9 @@ BOOL ReflectiveTransformerToEXE(PDOS_HEADER pDosHeader, DWORD dwAddressOfEntryPo
 		return FALSE;
 	}
 	
-	RebaseImage(pDosHeader, (ULONG_PTR)(pImgNtHeaders->OptionalHeader.ImageBase), IMAGE_BASE_EXE);
+	if (RebaseImage(pDosHeader, (ULONG_PTR)(pImgNtHeaders->OptionalHeader.ImageBase), IMAGE_BASE_EXE)) {
+		ShadowSectionUpdate(pDosHeader);
+	}
 
 	pImgNtHeaders->FileHeader.Characteristics &= ~IMAGE_FILE_DLL;
 	pImgNtHeaders->FileHeader.Characteristics |= IMAGE_FILE_EXECUTABLE_IMAGE;
diff --git a/ReflectivePolymorphism/ReflectiveUnloader.c b/ReflectivePolymorphism/ReflectiveUnloader.c
@@ -1,24 +1,5 @@
 #include "ReflectiveUnloader.h"
 
-static DWORD ImageSizeFromHeaders(PDOS_HEADER pDosHeader) {
-	PIMAGE_NT_HEADERS pImgNtHeaders = NULL;
-	PIMAGE_SECTION_HEADER pImgSecHeader = NULL;
-	PIMAGE_SECTION_HEADER pImgSecHeaderLastRaw = NULL;
-	PIMAGE_SECTION_HEADER pImgSecHeaderCursor = NULL;
-	DWORD dwCursor = 0;
-
-	pImgNtHeaders = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + pDosHeader->e_lfanew);
-	pImgSecHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)pImgNtHeaders + sizeof(IMAGE_NT_HEADERS));
-	pImgSecHeaderLastRaw = pImgSecHeader;
-	for (dwCursor = 0; dwCursor < pImgNtHeaders->FileHeader.NumberOfSections; dwCursor++) {
-		pImgSecHeaderCursor = &pImgSecHeader[dwCursor];
-		if (pImgSecHeaderLastRaw->PointerToRawData < pImgSecHeaderCursor->PointerToRawData) {
-			pImgSecHeaderLastRaw = pImgSecHeaderCursor;
-		}
-	}
-	return (pImgSecHeaderLastRaw->PointerToRawData + pImgSecHeaderLastRaw->SizeOfRawData);
-}
-
 static BOOL ReflectiveUnloaderUnimport(PDOS_HEADER pDosHeader) {
 	// PDOS_HEADER pDosHeader: Pointer to the DOS header of the blob to patch.
 	// Returns: TRUE on success.
@@ -64,56 +45,6 @@ static BOOL ReflectiveUnloaderUnrelocate(PDOS_HEADER pDosHeader, ULONG_PTR pBase
 	return RebaseImage(pDosHeader, pBaseAddress, (ULONG_PTR)(pImgNtHeaders->OptionalHeader.ImageBase));
 }
 
-static BOOL ReflectiveUnloaderRestoreWritable(PDOS_HEADER pDosHeader) {
-	// Restore the sections that were backed up in the ".restore" section if it
-	// is present. If the ".restore" section is not present, this function will
-	// return FALSE and the resulting PE image will probably be corrupted due to
-	// changes made to writeable sections persisting in the unloaded copy.
-	//
-	// PDOS_HEADER pDosHeader: Pointer to the DOS header of the blob to patch.
-	// Returns: TRUE on success.
-	PIMAGE_SECTION_HEADER pImgSecHeaderCopy = NULL;
-	PIMAGE_SECTION_HEADER pImgSecHeaderCursor = NULL;
-	PIMAGE_SECTION_HEADER pImgSecHeaderDst = NULL;
-	PIMAGE_SECTION_HEADER pImgSecHeaderSrc = NULL;
-	DWORD dwImageSize = 0;
-
-	pImgSecHeaderCopy = SectionHeaderFromName(pDosHeader, ".restore");
-	if (!pImgSecHeaderCopy) {
-		return FALSE;
-	}
-	if (!pImgSecHeaderCopy->SizeOfRawData) {
-		return FALSE;
-	}
-
-	dwImageSize = ImageSizeFromHeaders(pDosHeader);
-	pImgSecHeaderCursor = (PIMAGE_SECTION_HEADER)((ULONG_PTR)pDosHeader + pImgSecHeaderCopy->PointerToRawData);
-	while (memcmp(pImgSecHeaderCursor->Name, "\x00\x00\x00\x00\x00\x00\x00\x00", 8)) {
-		pImgSecHeaderSrc = pImgSecHeaderCursor;
-		pImgSecHeaderCursor += 1;
-
-		if (!pImgSecHeaderSrc->SizeOfRawData) {
-			continue;
-		}
-		pImgSecHeaderDst = SectionHeaderFromName(pDosHeader, pImgSecHeaderSrc->Name);
-		if (!pImgSecHeaderDst) {
-			return FALSE;
-		}
-		if (pImgSecHeaderDst->SizeOfRawData != pImgSecHeaderSrc->SizeOfRawData) {
-			return FALSE;
-		}
-		if (dwImageSize < (pImgSecHeaderCursor->PointerToRawData + pImgSecHeaderCursor->SizeOfRawData)) {
-			return FALSE;
-		}
-		CopyMemory(
-			(PVOID)((ULONG_PTR)pDosHeader + pImgSecHeaderDst->PointerToRawData),
-			(PVOID)((ULONG_PTR)pDosHeader + pImgSecHeaderSrc->PointerToRawData),
-			pImgSecHeaderDst->SizeOfRawData
-		);
-	}
-	return TRUE;
-}
-
 VOID ReflectiveUnloaderFree(PVOID pAddress, SIZE_T dwSize) {
 	// Free memory that was previously allocated by ReflectiveUnloader().
 	//
@@ -198,7 +129,7 @@ PVOID ReflectiveUnloader(HINSTANCE hInstance, PSIZE_T pdwSize) {
 	ReflectiveUnloaderUnrelocate(pDosHeader, pBaseAddress);
 	ReflectiveUnloaderUnimport(pDosHeader);
 	// This step is optional
-	ReflectiveUnloaderRestoreWritable(pDosHeader);
+	ShadowSectionRestore(pDosHeader);
 
 	if (pdwSize) {
 		*pdwSize = dwImageSize;
